[OpenID] [security] Trust + Security @ OpenID
Peter Williams
pwilliams at rapattoni.com
Sat Jul 21 18:37:24 UTC 2007
I get to talk to 1.3 million consumers - individual contractors who each exhibit both business and individual usage profiles and behaviors, while using 4 PCs. 3 of them are unmanaged, poor-security Windows XP Home Edition machines, often managed by 13-year-old boys who typically also have a fascination for porn. Virus problems are rampant, mainly due to the porn angle. It's pointless trying to educate 13-year-olds to avoid porn sites.
15% of GDP currently directly depends on those Microsoft machines! Only 25% of them are professionally managed. There is nothing one can do about that, as the Realtor is an independent contractor. The Realtor will not be allowed that designation if one starts to control their workplace; they become designated employees, with a cost basis that realty cannot sustain for 1.3 million persons.
The realtor is also necessarily entirely mobile, expecting to use whatever PC at a café, whatever PC at a homeowner's house, whatever PC at the house being shown, whatever PC(s) at home, ... or some browser on their internet phone.
Realtors do also use well-secured, well-managed PCs operated by larger brokers – if they work out of a _major_ broker's office (only). Most realtors do not. Most work out of Jimmy Smith's brokerage, with a Best Buy-installed network ..... of Windows XP Home PCs, running in admin mode. Public PCs abound; just sit down and use it – no network login required!
An interesting group, with interesting security management dynamics! And this group represents a challenge - to see how one might apply all this high-power military crypto stuff we here get to design with... in that unmanaged environment.
Now to the point!
To this interesting consumer set, there seem to be two expectations, operating at different levels, concerning blogging:
- The desire to control (social-networking style) which other OpenIDers can add comments on a blog. By controlling one's comment policy, one gets to achieve some political end – the reason why one bothers to craft a rant campaign in the first place:
  o E.g. perhaps some user posts something innocuous but socio-political to his/her blog site – and only allows the known-horrid group of responders to publicly comment ... thus helping achieve the political goal of polarizing society ... so, see, Robert Heinlein was right in his fictional-form arguments on the appropriate place for Fascism in America, etc.
- The desire to exclude anyone from certain OpenID Providers or delegated OpenID Providers:
  o E.g. anyone using an OpenID even partly associated with MSN is inherently braindead to start with – as MSN is a Microsoft technology. I deny the class of OpenIDers using MSN, as a protest in favor of my preference for Apple products. An opinion.
  o E.g. anyone from a Rapattoni membership system OpenID is inherently old-school realty, as the future of realty is in web 2.0, where tech will allow "lendingtree.com" OpenIDs to dis-intermediate. Another opinion.
If RDF files address 1, and HTTP/1.1 TLS tunnel upgrade processes address 2, we may have what we need – pulling these two from the technology shelf.
What we need now are protocol hooks and UI concepts that implement these raw technologies in a fashion that consumers can manage – and thus impose their view of trustworthiness on the world, as they see it.
From: Eddy Nigg (StartCom Ltd.) [mailto:eddy_nigg at startcom.org]
Sent: Saturday, July 21, 2007 9:46 AM
To: Peter Williams
Cc: Eric Norman; OpenID List; OpenID List
Subject: Re: [OpenID] [security] Trust + Security @ OpenID
... Hi Peter, just saw your blog...
... Who installed wordpress (or whatever) for you?
... You did?
... Ahhh...you also installed a few plugins?
... Really?
... You also added the OpenID login option to your blog?
... Very nice...job well done!
Now tell me why should it be any different for having OpenID login including some "trust" mechanism? Did you develop wordpress in order to blog on your web site?
Peter Williams wrote:
I'm a blogger. I want to allow other commentators to add to my rant, logging in using their OpenID. I want to decide which OpenID providers I trust. I have no faith whatsoever in the decisions of Google - my blog site operator - on this score.
I'm a blogger... not an Apache/IIS admin skilled in IT.
How do we design for this?
10000 bloggers, 10000 trust models during reliance. 10000 trust stores in iis/apache?
huuu? Perhaps 1 trust model would be good already.
-----Original Message-----
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>
To: "Eric Norman" <ejnorman at doit.wisc.edu>
Cc: "OpenID List" <security at openid.net>; "OpenID List" <general at openid.net>
Sent: 7/21/07 7:04 AM
Subject: Re: [OpenID] [security] Trust + Security @ OpenID
Apache web servers many times come with a CA bundle installed (mostly Linux distributions). This is usually a dump from the NSS (Mozilla) store. One can easily add more PEM-encoded certificates to that bundle - all the ones you want to trust. Implementation can require valid certificates traceable back to a root in the CA bundle.
I don't know much about IIS (anymore), but I guess the same could be possible there, using the local machine store.
Eric Norman wrote:
On Jul 20, 2007, at 8:30 AM, Johnathan Nightingale wrote:
As Dmitry observes, the protection it offers is useless if there are http (i.e. non-SSL/TLS) links in the chain.
True enough. But there's more. Many will argue that such protection is also useless unless the correct trust anchors (some folks call them "root" certificates) are deployed at the correct places. This is far easier to say than accomplish.
Eric Norman
http://ejnorman.blogspot.com
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390
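Added example, not from this thread or from any of its authors: the per-blogger trust bundle Eddy describes (a PEM file holding only the roots that one relying party accepts), with the chain check written out explicitly in Python using the `cryptography` library. The provider and user names are constructed. The check is the one an Apache-style CA bundle implies: find a root in this blogger's bundle whose subject matches the presented certificate's issuer, verify the certificate's signature with that root's key, and check the validity dates. Each blogger's bundle is simply a different PEM file, which is the "10000 bloggers, 10000 trust stores" point in code; the demo also shows why a matching issuer name without a verified signature must be rejected.

```python
# Added example (not from the thread): one PEM trust bundle per blogger, in the
# Apache "CA bundle" style, with the chain check done explicitly.
# Requires the `cryptography` package; all provider and user names are constructed.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _build(subject, issuer, pubkey, signer, is_ca, days):
    """Sign a certificate for `subject` with `signer`; `issuer` is the name it claims."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )


def make_root(cn):
    """Self-signed root for a (constructed) OpenID Provider."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _build(_name(cn), _name(cn), key.public_key(), key, True, 3650)


def issue_leaf(signer_key, claimed_issuer, cn, days=30):
    """End-entity cert naming `claimed_issuer` as its issuer, signed by `signer_key`."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _build(_name(cn), claimed_issuer.subject, key.public_key(), signer_key, False, days)


def bundle_pem(roots):
    """Concatenated PEM roots: the blogger's own CA bundle file."""
    return b"".join(r.public_bytes(serialization.Encoding.PEM) for r in roots)


def load_bundle(pem):
    """Split a concatenated PEM bundle into certificate objects."""
    certs = []
    for chunk in pem.split(PEM_END):
        if PEM_BEGIN in chunk:
            certs.append(x509.load_pem_x509_certificate(chunk + PEM_END + b"\n"))
    return certs


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes on old and new library versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def trusted_by(leaf, bundle, now=None):
    """CN of the bundle root that `leaf` chains to, or None if this blogger rejects it."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    not_before, not_after = _validity(leaf)
    if not (not_before <= now <= not_after):
        return None  # expired or not yet valid
    for root in load_bundle(bundle):
        if root.subject != leaf.issuer:
            continue  # a name match alone proves nothing; the signature must check out
        try:
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     ec.ECDSA(leaf.signature_hash_algorithm))
        except InvalidSignature:
            continue
        return root.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return None


def demo():
    """Two constructed providers, two bloggers with different bundles, a forgery and an expiry."""
    op_a_key, op_a_root = make_root("OP-A Root")
    op_b_key, op_b_root = make_root("OP-B Root")
    alice = issue_leaf(op_a_key, op_a_root, "alice via OP-A")
    bob = issue_leaf(op_b_key, op_b_root, "bob via OP-B")
    # Mallory's cert names OP-A as issuer but is actually signed with OP-B's key.
    mallory = issue_leaf(op_b_key, op_a_root, "mallory claims OP-A")
    blogger1 = bundle_pem([op_a_root])             # this blogger trusts only OP-A
    blogger2 = bundle_pem([op_a_root, op_b_root])  # this blogger trusts both
    later = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=60)
    return {
        "b1_alice": trusted_by(alice, blogger1),
        "b1_bob": trusted_by(bob, blogger1),
        "b2_bob": trusted_by(bob, blogger2),
        "b2_mallory": trusted_by(mallory, blogger2),
        "b1_alice_later": trusted_by(alice, blogger1, now=later),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Blogger 1's bundle accepts Alice and rejects Bob; blogger 2's accepts both; Mallory is rejected by both even though her certificate carries OP-A's name as issuer, because the signature does not verify under OP-A's key; and Alice is rejected once her certificate has expired. Swapping which PEM file a relying party loads is the whole per-blogger policy, which is what makes the "one bundle per blogger" model cheap for the server and hard for the blogger: someone still has to decide which roots go into each file.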